This is a brief presentation illustrating some best practices around building sensitive workloads in the AWS Cloud as well as how AWS services can make information security rigor much more scalable.
2. The Story in Summary
• The need for information security hygiene is the same in and out of the cloud
• The right cloud platform makes security more straightforward and scalable
5. AWS Artifact - Compliance reports
• Gives customers self-service, on-demand access via the console to AWS compliance reports (SOC, PCI, ISO), replacing the earlier request-based process for obtaining them
6. Security & compliance is a shared responsibility
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers have their choice of security configurations IN the Cloud, and are responsible for:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
19. VPC Flow Logs – See all your traffic
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs (Amazon S3 and Kinesis Data Firehose were added as destinations later)
• Create CloudWatch metrics from log data
• Alarm on those metrics
• Each record contains: AWS account, interface (ENI), source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, and whether the traffic was accepted or rejected
• Caveat: a flow log is a record of IP flows, not a packet capture. It carries connection metadata only, and some traffic is never logged (for example queries to the Amazon DNS resolver, instance metadata requests, and DHCP), so "all your traffic" means all flows seen on the interface, minus those exclusions
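The fields listed above are exactly what a detection has to work with. The script below, an added example that is not part of the original deck, parses flow log records in the default (version 2) format and flags a source that is REJECTed on many distinct destination ports, the pattern a port scan leaves behind. It also shows the one edge case practitioners trip over: NODATA and SKIPDATA records have no flow fields and must be excluded, and SKIPDATA in particular means records were lost. The log lines, account ID and ENI ID are constructed sample data, and the five-port threshold is an arbitrary choice for the example.

```python
"""Parse Amazon VPC Flow Log records (default v2 format) and flag REJECT
activity that looks like a port scan. Added example; the sample records,
account ID and ENI ID below are constructed placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Field order of the default flow log record format.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# Constructed sample: one source probes five ports and is rejected, one
# legitimate HTTPS flow is accepted, and two records carry no flow data.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.20 41234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.20 41235 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.20 41236 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.20 41237 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.20 41238 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.1.20 52000 443 6 40 5200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000060 1700000120 - SKIPDATA
"""


@dataclass(frozen=True)
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int      # window start/end, epoch seconds
    end: int
    action: str     # "ACCEPT" or "REJECT"


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records.

    A malformed line raises rather than being skipped silently, so a
    format change in the log stream is noticed instead of hidden."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        # NODATA: no traffic in the window. SKIPDATA: records were dropped
        # (capacity or internal error), i.e. a gap in visibility.
        return None
    return FlowRecord(
        rec["account_id"], rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
        int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
        int(rec["packets"]), int(rec["bytes"]), int(rec["start"]), int(rec["end"]),
        rec["action"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    """Parse every non-empty line, dropping records that carry no flow data."""
    parsed = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in parsed if r is not None]


def rejected_ports_by_source(records: List[FlowRecord]) -> Dict[str, Set[int]]:
    """Map each source address to the destination ports it was refused on."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    for rec in records:
        if rec.action == "REJECT":
            ports[rec.srcaddr].add(rec.dstport)
    return dict(ports)


def find_port_scanners(records: List[FlowRecord], min_ports: int = 5) -> List[str]:
    """Sources rejected on at least `min_ports` distinct ports (threshold is
    arbitrary here; this count is what you would turn into a CloudWatch
    metric and alarm on)."""
    by_src = rejected_ports_by_source(records)
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)


def count_skipped_windows(text: str) -> int:
    """Count SKIPDATA records: windows in which flow records were lost."""
    return sum(1 for l in text.splitlines() if l.split()[-1:] == ["SKIPDATA"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} flow records, {count_skipped_windows(SAMPLE_LOG)} window(s) with lost data")
    for src in find_port_scanners(recs):
        print(f"possible port scan from {src}: {sorted(rejected_ports_by_source(recs)[src])}")
```

Running it on the sample reports one scanner (203.0.113.5 on ports 22, 23, 445, 3389, 8080) and one SKIPDATA window; the accepted HTTPS flow from 198.51.100.9 is not counted. In production the same logic runs as a CloudWatch Logs metric filter on the REJECT action plus an alarm, which is the "create metrics, alarm on them" path the slide describes.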
21. AWS CloudTrail – “Cloud” usage logging
You are making API calls on a growing set of services around the world; AWS CloudTrail is continuously recording those API calls and delivering log files to you.
22. CloudWatch Logs – Centralization of logs
CloudWatch Logs provides a centralized service to ingest, store, analyze, and take action on a variety of log sources:
• Operating system logs
• Webserver logs
• Application logs
Use cases
• Centralized log store
• Protection against log modification on instances: logs are shipped off the host as they are written, so an attacker who compromises the instance cannot quietly alter the copy you investigate
• Notifications on events
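Slides 21 and 22 together describe the path from CloudTrail records to a notification: CloudTrail writes API events, CloudWatch Logs centralizes them, a metric filter matches the events you care about, and an alarm fires. The script below is an added example, not from the original deck, that applies three such matches to a batch of CloudTrail records offline: root account API use, console sign-ins without MFA, and calls that stop or reconfigure the trail itself. Each detector's docstring gives the CloudWatch Logs metric filter pattern of the same shape (these are the patterns the CIS AWS Foundations Benchmark monitoring controls use). The events, account ID, ARNs and event IDs are constructed placeholders.

```python
"""Triage a batch of CloudTrail records for root API use, console logins
without MFA, and tampering with the trail. Added example; the events,
account ID, ARNs and event IDs below are constructed placeholders."""
import json
from typing import Any, Dict, List

# Constructed CloudTrail log file body (real files are gzip-compressed JSON
# with the same top-level "Records" array).
SAMPLE_TRAIL = json.dumps({"Records": [
    {   # root user signs in to the console without MFA
        "eventID": "e1", "eventTime": "2024-05-01T08:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "203.0.113.5"},
    {   # ordinary IAM user, console login with MFA
        "eventID": "e2", "eventTime": "2024-05-01T09:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "eventType": "AwsConsoleSignIn",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
        "sourceIPAddress": "198.51.100.9"},
    {   # the same user turns the trail off: a classic anti-forensics step
        "eventID": "e3", "eventTime": "2024-05-01T09:10:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"},
        "sourceIPAddress": "198.51.100.9"},
    {   # a service acting for the account: invokedBy is set, so not a human root action
        "eventID": "e4", "eventTime": "2024-05-01T09:20:00Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "eventType": "AwsApiCall",
        "userIdentity": {"type": "Root", "accountId": "123456789012",
                         "arn": "arn:aws:iam::123456789012:root",
                         "invokedBy": "autoscaling.amazonaws.com"},
        "sourceIPAddress": "autoscaling.amazonaws.com"},
]})


def load_events(text: str) -> List[Dict[str, Any]]:
    """CloudTrail log files are JSON objects with a top-level "Records" array."""
    return json.loads(text)["Records"]


def root_api_usage(events: List[Dict[str, Any]]) -> List[str]:
    """Metric filter equivalent:
    { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
      && $.eventType != "AwsServiceEvent" }"""
    hits = []
    for e in events:
        ident = e.get("userIdentity", {})
        if (ident.get("type") == "Root" and "invokedBy" not in ident
                and e.get("eventType") != "AwsServiceEvent"):
            hits.append(e["eventID"])
    return hits


def console_login_without_mfa(events: List[Dict[str, Any]]) -> List[str]:
    """Metric filter equivalent:
    { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }"""
    return [e["eventID"] for e in events
            if e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


# API calls that change what the trail records; StopLogging/DeleteTrail are
# the ones an intruder reaches for first.
TRAIL_CHANGES = {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"}


def cloudtrail_tampering(events: List[Dict[str, Any]]) -> List[str]:
    """Metric filter equivalent:
    { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
      || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"""
    return [e["eventID"] for e in events
            if e.get("eventSource") == "cloudtrail.amazonaws.com"
            and e.get("eventName") in TRAIL_CHANGES]


def triage(text: str) -> Dict[str, List[str]]:
    """Run every detector over a log file body and return matching event IDs."""
    events = load_events(text)
    return {
        "root_api_usage": root_api_usage(events),
        "console_login_without_mfa": console_login_without_mfa(events),
        "cloudtrail_tampering": cloudtrail_tampering(events),
    }


if __name__ == "__main__":
    for name, ids in triage(SAMPLE_TRAIL).items():
        print(f"{name}: {ids or 'none'}")
```

On the sample, e1 trips both the root-usage and the no-MFA detector, e3 trips the tampering detector, and e4 is correctly ignored because `invokedBy` marks it as a service acting on the account's behalf. The same three conditions, expressed as the metric filters quoted in the docstrings and wired to CloudWatch alarms, are the "notifications on events" use case from the slide, with the added property that the trail and its alarms live outside the instances an attacker might compromise.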
23. “Based on our experience, I believe that we can be even more secure in the AWS cloud than in our own datacenters.” - Tom Soderstrom, CTO, NASA JPL
“And of course, security is critical for us. The financial services industry attracts some of the worst cyber criminals. So we worked closely with the AWS team to develop a security model which, we believe, allows us to operate more securely in the public cloud than we can even in our own datacenters.” – Rob Alexander, CIO, Capital One
“From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.” – Steve Randich, EVP and CIO, Financial Industry Regulatory Authority, USA
Improving your security with AWS…